Resource Groups
Resource Groups are collections of resources, which can help simplify automation, management, and permissions at scale. By grouping resources, you can apply granular permissions to a subset of your cloud footprint; this functionality has numerous implementations and is particularly useful for scoping custom visibility and custom policy. For example, a Resource Group can be used to identify specific resources to configure for automation through a certain Bot action. Resource Groups can be user-created or harvested from a Cloud Service Provider's Resource Group equivalent. For example, an Azure Resource Group will be marked with an Azure icon.
Prerequisites
Before you get started with Resource Groups, ensure you have:
- A functioning InsightCloudSec platform installation
- The appropriate permissions to create and/or manage Resource Groups for your InsightCloudSec Organization
Explore Resource Groups
In InsightCloudSec, navigate to Inventory > Resource Groups to start exploring, creating, and managing Resource Groups. Click a Resource Group's name to open a summary page for the group.
Managing Resource Groups
Creating a Resource Group
The best way to create a Resource Group is directly from a selection on the Resources page.
To create a Resource Group:
- Navigate to Inventory > Resources.
- Scope the data as necessary. For more information on using this feature, see Resources.
- Navigate to a resource type using the tabs at the top.
- Click the resource type name.
- Check the box next to resources you wish to add to your Resource Group and click the Add to Resource Group icon.
- On the form that opens, click the Create New tab.
- Provide a name and description for the group, then click Submit.
- Add dependencies, if desired, and repeat the steps to add new resources until you have added all of the desired resources for your new Resource Group.
Updating a Resource Group's Scope
If you need to update the scope of an existing Resource Group, it is easiest to do this directly from a selection on the Resources page.
To update a Resource Group's scope:
- Navigate to Inventory > Resources.
- Scope the data as necessary. For more information on using this feature, see Resources.
- Navigate to a resource type using the tabs at the top.
- Click the resource type name.
- Check the box next to resources you wish to add to your Resource Group and click the Add to Resource Group icon.
- On the form that opens, click the Add to Existing tab.
- From the Select Resource Group(s) drop-down menu, select every Resource Group whose scope you would like to update.
- Optionally, select Include Dependencies? to also include the dependencies of the selected resource(s).
- Click Submit.
Modifying a Resource Group's metadata
You can only modify a Resource Group that you have created.
To modify a Resource Group:
- Navigate to Inventory > Resource Groups.
- Locate the Resource Group you want to edit.
- Click the Action menu (...).
- Click Edit Group.
- Update the Name or Description as necessary.
- Click OK.
Deleting a Resource Group
You can only delete a Resource Group that you have created.
To delete a Resource Group:
- Navigate to Inventory > Resource Groups.
- Locate the Resource Group you want to delete.
- Click the Action menu (...).
- Click Delete Group.
- Click OK.
Using Resource Groups
Resource Groups are designed for scoping resources, Insights, and Bots. Resource Groups can scope based on any number of criteria, including permissions, automation, and compliance. Some examples of scoping include:
- A permission-based Resource Group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database administrators don't need to see every instance or web server; they are only interested in viewing database resources.
- A reactive Resource Group, where an administrator can use a Resource Group to only display resources that are monitored based on certain configured actions. For example, a Resource Group can be set up so that only database administrators can see where changes are being made to database resources.
- Resource Group curation using Bot actions (or automation) in one of two ways:
  - Add to Resource Group. On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action Add To Resource Group.
    - This action will only add resources to a group and will not automatically remove resources that no longer apply.
  - Curate Resource Group. InsightCloudSec includes a Bot action named Curate Resource Group, which, when added to a Bot's instruction set, assumes responsibility for maintaining the state of the Resource Group.
    - This action can be used only as a one-to-one relationship between a single Bot and a single Resource Group.
    - The Bot will automatically move resources in and out of the group as needed based on the configured policy.
Curating a Resource Group Example
In the following example, we show the steps required to create a sample Resource Group named Production Resources. This group includes resources with the tag key environment and a tag value of production. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine. Check out our documentation on BotFactory & Automation for additional details on working with Bots and automation.
To Create a Curation Bot:
- Go to Resource > Resource Groups and create a new Resource Group. This example uses the name Production Resources.
- Create a new Bot. Go to Automation > BotFactory and click Create Bot.
- Enter the Bot details.
  - Enter a name, description, and category. This example uses Security.
  - Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected. The scope of this example includes billable resource types across three cloud accounts--such as instances, database instances, volumes, and snapshots.
  - (Optional) To configure the Bot to scan every configured cloud account, click Select All Clouds.
- Configure the Query Filters. For this example, the Bot uses a single Query Filter that inspects resource tags and looks for a single key Environment with a single value Production.
- Configure the Bot's actions. The action used for this example is Curate Resource. Select that action from the listing and then use the drop-down to select the desired group, Production Resources.
- Choose when the Bot will run. For this type of Bot, we recommend against using any of the Reactive options and instead relying on a set schedule (hourly, daily, etc.).
- Save the Bot. When done, you can perform a retroactive scan, and if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
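The difference between the Add To Resource Group and Curate Resource Group actions, applied to the tag filter from this example, modelled as an added example (not InsightCloudSec code or its API; the resource IDs, tags and function names are constructed). It shows an add-only group keeping a retagged resource that a curated group drops, which matters when the group is used to scope permissions or policy.

```python
# Model of the two Bot actions; not InsightCloudSec code and not its API.
# Resource IDs and tags are constructed sample data.
SCAN_1 = [
    {"id": "aws:i-0a1", "tags": {"Environment": "Production"}},
    {"id": "azure:vm-web-01", "tags": {"Environment": "Production"}},
    {"id": "gcp:db-orders", "tags": {"Environment": "Staging"}},
]
SCAN_2 = [  # i-0a1 was retagged, db-orders was promoted
    {"id": "aws:i-0a1", "tags": {"Environment": "Decommissioned"}},
    {"id": "azure:vm-web-01", "tags": {"Environment": "Production"}},
    {"id": "gcp:db-orders", "tags": {"Environment": "Production"}},
]

def matching_ids(inventory, key="Environment", value="Production"):
    """The example's single Query Filter: one tag key with one tag value.
    Exact, case-sensitive matching is an assumption of this model."""
    return {r["id"] for r in inventory if r["tags"].get(key) == value}

def add_to_resource_group(group, inventory):
    """Add To Resource Group: adds matches, never removes anything."""
    return group | matching_ids(inventory)

def curate_resource_group(group, inventory):
    """Curate Resource Group: the single owning Bot reconciles membership."""
    wanted = matching_ids(inventory)
    return {"members": wanted,
            "added": sorted(wanted - group),
            "removed": sorted(group - wanted)}

def stale_members(group, inventory):
    """Members that no longer satisfy the filter (or no longer exist)."""
    return sorted(group - matching_ids(inventory))

def run_scans(scans=(SCAN_1, SCAN_2)):
    """Apply both actions on each scheduled run and compare the results."""
    add_only, curated, last = set(), set(), None
    for inventory in scans:
        add_only = add_to_resource_group(add_only, inventory)
        last = curate_resource_group(curated, inventory)
        curated = last["members"]
    return add_only, curated, last, stale_members(add_only, scans[-1])

if __name__ == "__main__":
    add_only, curated, last, stale = run_scans()
    print("add-only group:", sorted(add_only))
    print("curated group: ", sorted(curated))
    print("last curation: +", last["added"], "-", last["removed"])
    print("stale in add-only group:", stale)
```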
To Run Your Bot Immediately
Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.
You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot Listing tab, and select Enable from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.